Requirements and Limitations
The KMS feature has the following requirements and limitations:
- The feature is included in the Veeam Data Platform Advanced or Premium License. For more details about all license types, see Veeam Data Platform Feature Comparison. Data decryption is available for all licenses.
- Veeam Backup & Replication supports KMS servers that meet the following requirements:
  - Key Management Interoperability Protocol (KMIP) Profile v1.4 or earlier versions (1.2 to 1.4 are preferable). Later versions of KMIP Profiles are not supported by Veeam Backup & Replication.
  - Requirements for a baseline server. For more information, see the Baseline Server section in the KMIP Profile standard.
  - Requirements for an asymmetric key lifecycle server. For more information, see the Asymmetric Key Lifecycle Server section in the KMIP Profile standard.
The list of tested KMS solutions includes the following vendor product lines:
- To decrypt data, the KMS server must support:
  - Requirements for a basic cryptographic server. For more information, see the Basic Cryptographic Server section in the KMIP Profile standard.
  - SHA-1 hashing algorithm.
  - Optimal Asymmetric Encryption Padding (OAEP).
In other cases, Veeam Backup & Replication will retrieve private keys from the KMS server to decrypt backup files. These keys are not stored in the configuration database and are deleted immediately after decryption.
- [For Cloud Connect] To use the KMS feature in the Veeam Cloud Connect environment, both a service provider and a tenant must run Veeam Backup & Replication 12.1 (build 18.104.22.1681) or later.
- [For Cloud Connect] If a tenant uses the same KMS server as a service provider, backup files stored in the tenant quota cannot be decrypted on the service provider side.
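
The decryption requirement above names OAEP together with SHA-1. As an added example (not Veeam code), the script below uses local OpenSSL as a stand-in for the KMS to show that a key wrapped with RSA-OAEP/SHA-1 cannot be unwrapped by a side that offers OAEP only with a different hash. The RSA key, the sample plaintext and the use of SHA-1 for MGF1 are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: local OpenSSL stands in for the KMS. No Veeam or KMIP calls.
# All data is constructed: a throwaway RSA key and a fake "storage key".

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

setup_demo() {
    # Throwaway key pair; with a real KMS the private key stays on the server.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
    printf 'constructed-sample-storage-key' > "$WORK/plain.bin"
    # Wrap with RSA-OAEP and SHA-1 (assumption: MGF1 also uses SHA-1,
    # which is what OpenSSL does when only rsa_oaep_md is set).
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha1 \
        -in "$WORK/plain.bin" -out "$WORK/wrapped.bin"
}

# unwrap_with <digest>: attempt an OAEP decrypt with the given hash.
# Prints the plaintext and returns 0 on success, non-zero on failure.
unwrap_with() {
    openssl pkeyutl -decrypt -inkey "$WORK/priv.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$1" \
        -in "$WORK/wrapped.bin" 2>/dev/null
}

setup_demo
for md in sha1 sha256; do
    if out="$(unwrap_with "$md")"; then
        echo "OAEP/$md: unwrapped '$out'"
    else
        echo "OAEP/$md: decrypt failed (parameter mismatch)"
    fi
done
```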